Two-factor authentication
Griffin requires two-factor authentication (2FA) every time you log in or make a payment. You must authenticate using a passkey stored on a security device of your choice.
How it works
We use a web standard called WebAuthn to generate a private passkey, which is stored on your chosen security device. It is paired with a public key that is stored on our servers and associated with your account. Both halves of the pair are needed to generate the authentication token that allows you to log in.
When you create a new Griffin account you will be prompted to register a passkey, which will be stored on your chosen device.
When you log in to your Griffin account, you will need to authenticate yourself using your registered passkey.
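The sketch below is an added Node.js illustration of the key-pair exchange described above, not Griffin's code: the device signs a fresh server challenge with the private key, and the server checks that signature with the stored public key. The names `bank.example`, `registerPasskey`, `deviceAssert` and `serverVerify` are assumptions, and a production WebAuthn verifier also parses CBOR attestation and tracks signature counters.

```javascript
// Added illustration of a WebAuthn-style login; not Griffin's implementation.
const crypto = require('node:crypto');

const RP_ID = 'bank.example';          // constructed relying-party ID (assumption)
const ORIGIN = 'https://bank.example'; // constructed origin (assumption)
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device makes the key pair and keeps the private half;
// the server stores only the public half against the account.
function registerPasskey() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: sign authenticatorData || SHA-256(clientDataJSON).
function deviceAssert(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // rpIdHash (32 bytes) | flags (0x05 = user present + verified) | signCount (4)
  const authenticatorData =
    Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Server side: check what was signed, then verify with the stored public key.
function serverVerify(server, expectedChallenge, assertion) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return false;
  if (client.origin !== ORIGIN) return false; // signed for a look-alike site
  if (client.challenge !== expectedChallenge.toString('base64url')) return false; // replay
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  if ((authenticatorData[32] & 0x05) !== 0x05) return false; // UP and UV flags
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, server.publicKey, signature);
}

// Constructed run: an honest login, then the same assertion replayed.
function demo() {
  const { device, server } = registerPasskey();
  const challenge = crypto.randomBytes(32);
  const assertion = deviceAssert(device, challenge, ORIGIN);
  return [serverVerify(server, challenge, assertion),
          serverVerify(server, crypto.randomBytes(32), assertion)];
}
```

Because the origin and challenge are inside the signed data, an assertion produced for a look-alike site or captured from an earlier login fails verification even though the signature itself is genuine.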
What devices can I use?
The table below shows the devices you may use to register and store a passkey, and the system requirements for using it with your Griffin account.
| Device | Passkey device requirements | Laptop/computer requirements |
|---|---|---|
| Physical security device | Must be FIDO2 compatible (we recommend YubiKeys) | None |
| Apple device | Must have iOS 16 or later | Must have Bluetooth |
| Android device | Must have Android 9.0 or later, and have screen lock enabled | Must have Bluetooth |
Regardless of the device you use, your operating system and browser combination must be compatible with roaming authenticators.
Registering a passkey on your security device
Right now, we only support one security device per account and you will need it every time you want to log in or make a payment - so please choose a trusted device that you will always have on hand!
Click Register device to get started.
In the WebAuthn pop-up, select your preferred option and follow the instructions. If you choose a phone or tablet, you will need to scan the QR code.
WebAuthn might look a bit different depending on your browser and OS (this example uses a MacBook with Google Chrome). If the pop-up only gives you one option when adding a device, you may need to click Use a different device (or Cancel on Windows) to see the option to use your phone or tablet.
You don’t need a special authenticator app to scan the QR code - just open your device’s camera and point it at the screen. You'll be prompted to store your passkey in your device’s password manager (iCloud Keychain in this example).
Using your passkey to log in and make payments
Every time you log in to Griffin, you will need to have your security device on hand so you can authenticate using your passkey. Similarly, whenever you send a payment, clicking Confirm and send will prompt you to authenticate using your passkey.
When prompted, select the device type where your passkey is stored and follow the instructions. If you are using a phone, you will need to scan the QR code.
Lost or stolen devices
If the device where you store your passkey is lost or stolen, you should contact us immediately at support@griffin.com so that we can remove the passkey from your account.
For security purposes, we need approval from another admin in your organisation before we deactivate a passkey.
Once your passkey has been removed, you will be prompted to register a new one the next time you log in. You will not be able to log in to your Griffin account until you’ve registered a new passkey.